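def evalvalue(_state):
    """Check whether the bytes at ``_state.rdi`` can equal ``c`` and record a model.

    Walks ``c`` byte by byte against memory at ``_state.rdi``.  A concrete
    byte is compared directly and a mismatch ends the check; a symbolic byte
    becomes a solver constraint instead.  If the collected constraints are
    satisfiable, each 64-bit variable named in ``args`` is evaluated in the
    model and appended to ``de``.  ``Death`` is returned on every path so the
    caller stops exploring this state.

    Relies on module-level names that this block does not define: ``c``,
    ``args``, ``de``, ``Death`` and ``z3``.
    """
    addr = _state.rdi
    _state.solver.push()
    # push/pop must balance on every exit; the original returned early on a
    # mismatching concrete byte without popping, leaving the solver scope
    # dirty for the caller.
    try:
        for i, v in enumerate(c):
            val = _state.mem_r(addr + i, 1)
            if isinstance(val, int):
                print(val)
                if val != v:
                    return Death
            else:
                # Symbolic byte: constrain it rather than compare it.
                # NOTE(review): the collapsed original is ambiguous about which
                # `if` this `else` belongs to; the symbolic-constraint reading
                # is used here.
                _state.solver.add(val == v)
        if _state.solver.check() == z3.sat:
            m = _state.solver.model()
            print("success ")
            for a in args:
                # Use `_state.ctx` (the original wrote the undefined `state`):
                # the variable must live in the same z3 context as the solver.
                k = z3.BitVec(a, 64, _state.ctx)
                de.append(m.eval(k).as_long())
        else:
            print("faild ")
        return Death
    finally:
        _state.solver.pop()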
import TriggerBug
import TriggerBug.z3 as z3

# Root state of the symbolic run, restored from the recorded snapshot.
top_state = TriggerBug.TopState(
    file_name=r'./fight.xml',
    need_record=True,  # When states need to be merged (compress), every state being compressed must have need_record=True, otherwise an error is raised: a state with need_record=False does not record the modifications made during its child states' lifetimes and therefore cannot be merged.
    oep=0,
    Ijk_unsupport_call= None,  # if set, IR jump-kind calls that are not supported will call this func
    Ijk_hook_call=None  # if set, all IR jump-kind calls will call this func
)

# 420 symbolic 32-bit words named C0..C419, each constrained to the unsigned
# range 0..4 and written back-to-back into memory starting at 0x0BE33D4.
flag = []
for i in range(420):
    k = z3.BitVec("C%d" % i, 32, top_state.ctx)
    flag.append(k)
    top_state.add(z3.ULE(k, 4), True)
    top_state.mem_w(0x0BE33D4 + i * 4, k, 4)


# NOTE(review): the default `_state=TriggerBug.State` reads like an intended
# type annotation (`_state: TriggerBug.State`); as written it binds the class
# itself when the callback is invoked without an argument.
def evalvalue(_state=TriggerBug.State):
    """Solve the current state's constraints and read back the symbolic words in ``flag``.

    The body is cut off in the source as captured; only the satisfiability
    check and the start of the model walk are visible.
    """
    global flag
    # for i in range(7):
    #     _state.add(_state.mem_r(_state.rdx + i*4, 4)== _state.mem_r(_state.rcx + i*4, 4), True)
    print("check")
    if _state.solver.check() == z3.sat:
        m = _state.solver.model()
        data = 0
        for i in flag:
            flagv = None
import ctypes
import TriggerBug
import TriggerBug.z3 as z3

# Root state of the symbolic run, restored from the recorded snapshot.
top_state = TriggerBug.TopState(
    file_name=r'./confused.xml',
    need_record=True,  # When states need to be merged (compress), every state being compressed must have need_record=True, otherwise an error is raised: a state with need_record=False does not record the modifications made during its child states' lifetimes and therefore cannot be merged.
    oep=0,
    Ijk_unsupport_call= None,  # if set, IR jump-kind calls that are not supported will call this func
    Ijk_hook_call=None  # if set, all IR jump-kind calls will call this func
)

# 24 symbolic bytes named flag0..flag23 written to the stack buffer at
# ebp-0x60, followed by a concrete zero terminator.  The range constraint
# on each byte is left commented out.
flag = []
for i in range(24):
    k = z3.BitVec("flag%d" % i, 8, top_state.ctx)
    flag.append(k)
    #top_state.add(z3.And(z3.UGT(k, 5), z3.ULE(k, 128), top_state.ctx), True)
    top_state.mem_w(top_state.ebp - 0x60 + i, k, 1)
# NOTE(review): the buffer is written via `ebp` above but the terminator via
# `rbp`; confirm both resolve to the same base in this state.
top_state.mem_w(top_state.rbp - 0x60 + 24, 0, 1)


# NOTE(review): the default `_state=TriggerBug.State` reads like an intended
# type annotation (`_state: TriggerBug.State`); as written it binds the class
# itself when the callback is invoked without an argument.
def evalvalue(_state=TriggerBug.State):
    """Constrain seven dwords at ``rdx`` to equal those at ``rcx``, then solve.

    The body is cut off in the source as captured; nothing after the
    satisfiability check is visible.
    """
    global flag
    for i in range(7):
        _state.add(
            _state.mem_r(_state.rdx + i * 4, 4) == _state.mem_r(_state.rcx + i * 4, 4), True)
    print("check")
    if _state.solver.check() == z3.sat: